Since it accepts the custom HTTP header x-amzn-origin, it’s easy for any third-party website to fake the requirement. Besides, this so-called RESTful server is exposed on all interfaces (0.0.0.0), so, Shodan and ZoomEye fans, don’t you get excited?
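As an added illustration (not code from this write-up or from Amazon), here is the request-gating logic of such a local control server in Python, in two forms: the forgeable custom-header check described above, and a hardened policy that only admits loopback peers, validates the browser-set Origin header against an allowlist and requires a secret a third-party page cannot obtain. The names (Request, weak_authorize, LocalPolicy) and the allowlist value are assumptions.

```python
# Added example, not the write-up's or Amazon's code: gating logic for a
# local control server, in the forgeable form and a hardened form.
# Names (Request, weak_authorize, LocalPolicy) and the allowlist are assumptions.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    headers: dict  # lowercase header names -> values
    peer_ip: str   # address the TCP connection arrived from


def weak_authorize(req: Request) -> bool:
    """The check described in the write-up: presence of the custom
    x-amzn-origin header is treated as proof the caller is trusted.
    Any website can attach that header, so it proves nothing."""
    return "x-amzn-origin" in req.headers


@dataclass
class LocalPolicy:
    # Origins allowed to talk to the local server (assumed value).
    allowed_origins: frozenset = frozenset({"https://www.amazon.com"})
    # Per-install secret handed only to the legitimate client.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

    def authorize(self, req: Request) -> bool:
        # 1. Accept only loopback peers; the listener itself should be
        #    bound to 127.0.0.1, not 0.0.0.0, so this is defence in depth.
        if req.peer_ip not in ("127.0.0.1", "::1"):
            return False
        # 2. Browsers set Origin themselves and page scripts cannot
        #    override it (unlike a custom header), so a third-party site
        #    cannot claim an allowlisted origin. A missing Origin is rejected.
        if req.headers.get("origin") not in self.allowed_origins:
            return False
        # 3. Origin is still forgeable by non-browser clients, so also
        #    require the secret token, compared in constant time.
        presented = req.headers.get("authorization", "")
        return hmac.compare_digest(presented, f"Bearer {self.token}")
```

The weak check passes any request that merely carries the header, while the hardened policy rejects the same request and only admits a loopback caller that presents both an allowlisted Origin and the token.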

Let’s go back to the handlers.

Morpho::SystemHandler

It accepts an arbitrary pathname but doesn’t care about the parameters at all. It responds with basic system information like the following:

Just a few days ago I read an article saying that Spotify does the same:

Actually, we don’t even need DNS for this one. We can do the same as the embedded Spotify player does and send a request inside the victim’s browser to their local Spotify control server. We don’t even need to be Spotify. Authenticated requests between websites are fine. That’s something the internet just allows (with several extremely technical and complicated caveats).

What did Spotify Security say? That it’s a product decision and they’re fine with it. I tried to explain further but they confirmed, yes it’s a product decision and they’re fine with it. I’m also, to be fair, fine with posting the spotilocal.com certificate online. So I did. Well it’s removed now, so guess it wasn’t a product decision they wanted to keep 😉